VeriSign has warned workers of the theft of a laptop that contained their personal information.
The laptop was stolen from a car parked in the garage of a California worker sometime on the night of 12 July. The laptop contained personal information - name, Social Security number, date of birth, salary information, telephone …

a potential use for DRM ?

If this had been a music track instead of personal details you just know that it would have been riddled with DRM which would mean that the raw data could not be got at, and it could only be used in the correct authorised programs etc etc.

I think the mistake was in letting it be possible to get hold of the data in an unencrypted form to begin with, obviously users cant be trusted with it despite company policies, the same way that the MAFIAA dont trust users with unencrypted media despite laws forbidding copying.

So why doesnt someone apply the same kind of principles to data files too, maybe openoffice could get ahead here by implimenting something like this. Have a way to mark a document/spreadsheet/db file, whatever, as 'must be encrypted' and enforce that once loaded it cant be saved, or cut and paste out of the application in an unencrypted way.

It doesnt have to be majorly secure, there will always be the 'analog hole' of screen scraping etc, but if all the basic operations are covered then the average idiot user (they must be idiots otherwise they wouldnt have needed this) wont end up with unencrypted data on a stealable device.

Re: a potential use for DRM ?

DRM my possibly help, especially if it was a random opportunistic theft. However I'd avoid using any flawed technology from the music industry.

The DRM implementations for restricting music are not truly secure in the technical sense, since the OS/software/licenses/media files contain all the information to play the contents without requiring any passwords. Instead they employ security by obscurity. The media is encrypted, however by necessity the decryption keys are included with the player/user license files, which implies they are available by reverse engineering the software. The encryption is a genuine headache for legitimate users, however it should not be considered secure from an attacker who can reverse engineer the software (just like the DVD).

A real solid portable (unconnected) DRM platform would still be vulnerable to brute force/dictionary password attacks. Expect toolkits to simplify the process as DRM becomes more common for business security. A security key could help here except in all likeliness it gets stolen with the laptop.

Interestingly the most modern CPUs have begun integrating TPM units into their designs, which basically limit the possibility of reverse engineering by making sure the software is encrypted and only the hardware knows how to decrypt it. It is much harder to hack the keys out of hardware, and assuming the keys do not get leaked somehow this may finally be considered "secure".

Yes, cupid stunts

I can only agree. If you don't want confidential information getting out, don't put it where it can be leaked!

I was once told by a CIO of a large bank that they didn't worry about that kind of data getting out because all of their laptops were password protected. So I grabbed his laptop, pulled the drive (2 minutes, I'm slow), plugged it into an external drive enclosure (1 minute, these are easier) and was reading data in less than 30 seconds (it's an old laptop). He said they were going to require encryption on all laptops. Just like VeriSign.

They let it leave?

[1] the data would be secured to the highest practical level (considering available technology):

-[a] every machine in the place (especially portable devices) would have an encrypted file system (and, come to think, would be a Mac, UNIX, Linux, or mainframe box, depending on purpose);

-[b] every user (including janitorial staff) would be trained on security practices, evaluated on compliance with same, and required to log in using one of those RSA-type fobs with random numeric key sequences (i prefer CryptoCard on BSD, actually);

-[c] visitors and consultants would have to sign NDAs and confidentiality agreements that make them individually liable for damages; they would also require oversight, and would be given very limited access (no data to be transferred off premises), which would end the moment they are finished work;

-[d] all laptops and portable devices would have call-home and remote-kill LoJack-type functionality, and all connections would be encrypted and secure.

[2] this individual would be facing a civil lawsuit.

[3] the person wouldn't "leave", they would be fired for negligence and escorted off the premises, their manager would be subjected to an audit and an investigation (at least), and that's what the press release would say, too.

aside from all that, whenever this sort of thing happens, i always get a mighty urge to throw the idiot so hard that the moron would bounce.

this company is (supposedly) a security vendor (among other things); they should try harder to act the part (they're far from broke, and their profit outlook is excellent).

unfortunately, VeriSign (and NSI before that) has never had its stuff together. they were always fsckups, so no news here (just had to deal with them last year, and they were still fscked up). this twit likely fit into their culture of incompetence just fine, and was probably either management or HR, or maybe both.